b'OFFICE OF INSPECTOR GENERAL\n\nAUDIT OF USAID\xe2\x80\x99s PRE-\nDEPLOYMENT ACTIVITIES\nFOR ITS GLOBAL\nACQUISITION SYSTEM\nAUDIT REPORT NO. A-000-07-004-P\nJULY 19, 2007\n\n\n\n\nWASHINGTON, DC\n\x0cOffice of Inspector General\n\n\nJuly 19, 2007\n\nMEMORANDUM\n\nTO:                  Director, Office of Acquisitions and Assistance, Michael F. Walsh\n                     Chief Information Officer, David C. Anewalt\n\nFROM:                Director IG/A/ITSA, Melinda G. Dempsey      /s/\n\nSUBJECT:             Audit of USAID\xe2\x80\x99s Pre-Deployment Activities for Its Global Acquisition System\n                     (Audit Report No. A-000-07-004-P)\n\nThis memorandum is our report on the subject audit. In finalizing the report, we considered your\ncomments on the draft report. Your comments are included in Appendix II.\n\nThis report contains six recommendations to help USAID improve its pre-deployment activities for\nits Global Acquisition System. Based on your response and the supporting documentation\nprovided, final action has been taken on Recommendation No. 4. In addition, management\ndecisions have been reached on Recommendation Nos. 1, 2, 3, 5, and 6. Please notify the\nBureau for Management\xe2\x80\x99s Audit, Performance and Compliance Division when final action is\ncompleted.\n\nI appreciate the cooperation and courtesy extended to each of the members of my staff during\nthe audit.\n\n\n\n\nU.S. Agency for International Development\n1300 Pennsylvania Avenue, NW\nWashington, DC 20523\nwww.usaid.gov\n\x0cCONTENTS\nSummary of Results ....................................................................................................... 1\n\nBackground ..................................................................................................................... 3\n\nAudit Objective .................................................................................................................. 4\n\nAudit Findings ................................................................................................................. 5\n\nDid USAID follow key best practices before deploying its\nGlobal Acquisition System?\n\n           USAID\xe2\x80\x99s Technical Infrastructure Not Formally Evaluated .........................................5\n\n           Software Not Formally Evaluated Against Performance Requirements.....................6\n\n           GLAS Software Did Not Provide Functionality for Incrementally-Funded\n           Contracts In Accordance With USAID\xe2\x80\x99s Business Processes ....................................8\n\n           Data Migration Not Adequately Planned......................................................................9\n\n           Data in Tracking System Not Linked to Test Results or Change Requests.............11\n\n           The GLAS Team Could Not Assure That Most Nonfunctional Tests\n           Were Performed .........................................................................................................12\n\nEvaluation of Management Comments ....................................................................... 14\n\nAppendix I \xe2\x80\x93 Scope and Methodology ........................................................................ 15\n\nAppendix II \xe2\x80\x93 Management Comments ....................................................................... 16\n\x0cSUMMARY OF RESULTS\nIn an effort to improve USAID\xe2\x80\x99s acquisition functionality worldwide through advanced\ntechnology and business process improvements in support of eGovernment initiatives,\nUSAID plans to implement a web-based, commercial off-the-shelf software package,\nreferred to as the Global Acquisition System (GLAS) by March 2008. (See page 3.) As\nsuch, this audit was conducted to determine whether USAID followed key best practices\nbefore deploying the system. These practices include:\n\n\xe2\x80\xa2       Preparing functional and technical requirements.\n\n\xe2\x80\xa2       Designing system interfaces.\n\n\xe2\x80\xa2       Managing project risk management.\n\n\xe2\x80\xa2       Testing.\n\n\xe2\x80\xa2       Migrating data. (See page 4.)\n\nIf followed, these practices will help optimize information technology enabled investments,\nensure service delivery, and provide a measure against which to judge if things go wrong.\n\nThis audit determined that, although USAID properly designed the approved interfaces\nwith its other systems and designed a good system for managing project risks, USAID did\nnot adequately follow best practices before deploying GLAS. USAID engaged in some\npositive practices such as maintaining a GLAS (1) program risk register that identified\nrisks to the project and cited mitigating actions in the event the risk became a real\noccurrence and (2) issues log that captured real events that could impact the project,\ntook corrective actions for those occurrences, and noted the outcomes of those actions.\nAlso, USAID accomplished fairly seamless interfaces of GLAS with its core financial\nsystem, known as Phoenix, and its operating data store. However, USAID did not\nadequately follow best practices before deploying its Global Acquisition System.\nSpecifically, deficiencies were found in GLAS pre-deployment activities in the manner in\nwhich the GLAS Team addressed (1) technical infrastructure 1 , (2) performance\nrequirements, (3) system functionality, (4) data migration planning, (5) test results and\nchange request tracking, and (6) nonfunctional testing. (See pages 5 through 13.)\n\nWe recommended that the GLAS Team (1) formally evaluate GLAS against USAID\xe2\x80\x99s\ntechnical infrastructure prior to full deployment of GLAS, (2) develop performance\nrequirements and test GLAS against those requirements prior to full deployment of\nGLAS, (3) identify a resolution for incremental funding functionality issues (4) develop\ncomprehensive mission data migration plans, (5) redesign its test results and change\nrequest tracking system, and (6) correct weaknesses in testing. (See pages 5 through\n13.)\n\n\n\n1\n The equipment, software, services, and products used in storing, processing, transmitting, and\ndisplaying information.\n\n\n                                                                                                  1\n\x0cIn response to our draft report, USAID agreed with the audit findings and all six\nrecommendations. Additionally, the Agency stated that many of the concerns cited in\nthe report were also identified during a recent Independent Verification and Validation,\nand mitigation activities had been initiated. USAID outlined the management decisions\nthat it had made to address each of the report\xe2\x80\x99s recommendations. In addition, it\nestablished target dates for implementing the recommendations. Based on the Agency\xe2\x80\x99s\ncomments and the supporting documentation provided, final action has been taken on\nRecommendation No. 4, and management decisions have been reached to address\nRecommendation Nos. 1, 2, 3, 5, and 6. (See page 14.)\n\n\n\n\n                                                                                      2\n\x0cBACKGROUND\nThe Procurement System Improvement Project is an effort to improve USAID\xe2\x80\x99s acquisition\nfunctionality worldwide through advanced technology and business process improvements\nin support of eGovernment initiatives. Specifically, USAID plans to automate its end-to-end\nprocurement process, while standardizing and streamlining the Agency\xe2\x80\x99s business\nprocesses. The project is designed to streamline business processes by replacing\nUSAID\xe2\x80\x99s (1) procurement function of the New Management System in Washington,\n(2) ProDoc system in Washington and overseas missions, and (3) manual spreadsheets in\nthe overseas missions. To accomplish this, USAID plans to implement a web-based,\ncommercial off-the-shelf software package, referred to as the Global Acquisition System\n(GLAS). In addition, USAID intends to fully interface GLAS with the Agency\xe2\x80\x99s core financial\nsystem, Phoenix. As of January 2007, USAID has spent over $12.2 million 2 for activities\ntoward the implementation of GLAS.\n\nIn December 2006, USAID piloted its GLAS software in 10 Washington Offices. According\nto current plans, the remaining system implementation schedule is as follows:\n\n      Activity                             Start Date                       Completion Date\n    Washington Deployment                   April 2007                          June 2007\n    Overseas Pilot                           June 2007                           July 2007\n    Overseas Deployment                    October 2007                        March 2008\n\nAccording to the Clinger-Cohen Act of 1996 (Public Law 104\xe2\x80\x93106), agencies should\nachieve the following for information technology (IT) investments:\n\n\xe2\x80\xa2       Use a disciplined process to maximize the value and assess and manage\n        the risks of IT acquisitions.\n\n\xe2\x80\xa2       Ensure specified requirements are met.\n\n\xe2\x80\xa2       Promote the effective and efficient design and operation.\n\nIn 2005, the IT Governance Institute\xc2\xae (established to advance international standards in\ndirecting and controlling an enterprise\xe2\x80\x99s information technology) issued Control Objectives\nfor Information and related Technology (COBIT 4.0). COBIT 4.0 provides best practices\nand presents activities in a manageable and logical structure. COBIT\xe2\x80\x99s best practices\nrepresent the consensus of experts and are strongly focused on control and less on\nexecution. These practices will help optimize IT-enabled investments, ensure service\ndelivery, and provide a measure against which to judge if things go wrong.\n\nUSAID\xe2\x80\x99s IT Governance implementation is based on COBIT 4.0.\n\n\n2\n  Unaudited. Note that the total estimated cost for GLAS is not clear because USAID combines\nGLAS budgetary information with the Joint Assistance Management System Project (JAMS). The\nProcurement System Improvement Project originally combined JAMS (a joint USAID/Department\nof State project to implement system for assistance instruments, e.g., grants) with GLAS, which is\na USAID-only system for acquisition instruments (e.g., contracts).\n\n\n                                                                                                3\n\x0cAUDIT OBJECTIVE\nThis audit was added to the OIG\xe2\x80\x99s annual audit plan to answer the following question:\n\n       Did USAID follow key best practices before deploying its Global\n       Acquisition System?\n\nFor this audit, key best practices are (1) preparing functional and technical requirements,\n(2) designing system interfaces, (3) managing project risk management, (4) testing, and\n(5) migrating data.\n\nA description of our scope and methodology is contained in Appendix I.\n\n\n\n\n                                                                                         4\n\x0cAUDIT FINDINGS\nAlthough USAID defined the interfaces and designed a good system for managing\nproject risks, USAID did not adequately follow best practices before deploying its Global\nAcquisition System (GLAS).\n\nUSAID designed the interface of GLAS with its core financial system and Operational Data\nStore 3 , to occur seamlessly, with adequate provisions and controls to minimize potential\nconflicts and errors. Furthermore, GLAS\xe2\x80\x99 commercial off-the-shelf (COTS) baseline\nfunctionalities launch and interface with web-based applications, such as Federal\nProcurement Data System - Next Generation and FedBizOpps (which are two\napplications used throughout the Federal Government). USAID also designed a\ncomprehensive scheme for managing the project risk. Examples included maintaining a\nGLAS program risk register, as well as a GLAS issues log, and a plan for identifying and\ncategorizing risks and mitigating high risks. However, the Agency did not adequately\nfollow best practices before deploying its Global Acquisition System. Specifically,\ndeficiencies were found in the areas of (1) technical infrastructure, (2) performance\nrequirements, (3) system functionality, (4) data migration planning, (5) test results and\nchange request tracking, and (6) nonfunctional testing. These findings are discussed\nbelow.\n\nUSAID\xe2\x80\x99s Technical Infrastructure\nNot Formally Evaluated\n\n    Summary:       USAID did not evaluate the overall impact on the technical\n    infrastructure of an integrated product with the Agency\xe2\x80\x99s financial system and other\n    external interfaces, as called for by COBIT 4.0. This problem occurred because\n    USAID took a reactive approach and planned to adjust the software and the\n    infrastructure, as necessary. Without an initial assessment of the impact on other\n    applications and the overall USAID infrastructure, the Agency can not be confident\n    that the network will remain stable and its performance uncompromised with the\n    introduction of GLAS.\n\nCOBIT 4.0, section PO3.2, \xe2\x80\x9cTechnological Infrastructure Plan,\xe2\x80\x9d calls for creating and\nmaintaining a technological infrastructure plan that is in accordance with the IT strategic\nand tactical plans. The plan is to be based on the technological direction and should\ninclude contingency arrangements and direction for acquisition of technology resources.\nIt should also consider changes in the competitive environment, economies of scale for\ninformation systems staffing and investments, and improved interoperability of platforms\nand applications.\n\nIn its solicitation for the COTS product, USAID included a description of the Agency\xe2\x80\x99s\ninfrastructure and telecommunication challenges. Further, as part of the technical\nresponse, each vendor was required to address any approaches or techniques that\noptimize the product\xe2\x80\x99s ability to perform in each of the following conditions:\n\n3\n A single repository that can be used to combine data from multiple source systems into a\nhomogeneous form for reporting purposes.\n\n\n                                                                                            5\n\x0c\xe2\x80\xa2    10BaseT LAN with 1 ms+ latency. 4\n\xe2\x80\xa2    128KB Bandwidth and 600ms + latency Wide-Area-Network 5 .\n\nIn evaluating the proposals, USAID assessed the COTS products\xe2\x80\x99 ability to meet the\nfunctional, certain technical (such as whether it would operate on certain platforms), and\nsystem deployment requirements. The assessments were documented on vendor\nfindings worksheets and ultimately became the basis for selecting the COTS product.\nWhile these assessments were comprehensive, USAID did not methodically evaluate\nthe impact of the prospective COTS product on USAID technical infrastructure, 6\nincluding the information technology environment bulleted above. Although USAID\nperformed a preliminary study of impacts of the software on existing systems,\napplications, and databases, the study was not complete and did not include the impact\nof GLAS on the network infrastructure as a whole. Specifically, USAID\xe2\x80\x99s preliminary\nstudy focused only on the impact of the software on data in each individual system,\napplication, and database; it did not evaluate the overall impact on the technical\ninfrastructure of an integrated product with the Agency\xe2\x80\x99s financial system and other\nexternal interfaces.\n\nThis problem occurred because the Agency took a reactive approach and planned to\nadjust the software and the infrastructure as necessary. Specifically, as a mitigation\nstrategy, the GLAS Team planned to conduct successive performance testing of the\nsystem throughout key phases of the implementation.\n\nWithout an initial assessment of the impact on other applications and the overall USAID\ninfrastructure, the Agency cannot be confident about the integrity (i.e., whether the\nnetwork will remain stable and its performance uncompromised with the introduction of\nthe COTS application) of the network.\n\n     Recommendation No. 1: We recommend that, prior to full deployment, the\n     Global Acquisition System Team, in collaboration with the Office of the Chief\n     Information Officer, (a) formally evaluate its technical infrastructure with respect\n     to the system implementation, determining impact on existing platforms and\n     applications, and (b) based on that evaluation, implement corrective actions to\n     ensure that interoperability of platforms and applications will be optimized.\n\nSoftware Not Formally Evaluated\nAgainst Performance Requirements\n\n    Summary: USAID did not evaluate the software against performance requirements\n    during the selection process, as prescribed by COBIT 4.0. This problem occurred\n    because the Agency did not define acceptable performance standards for GLAS.\n    Without timely development, consideration, and testing of performance\n    requirements, USAID runs the risk of not meeting performance needs of the end\n    users.\n\n\n4\n  Performance on a 10 Mbps Ethernet standard at 1 millisecond plus the latency of the network.\n5\n  Performance on a 128KB Bandwidth at 600 milliseconds plus the latency of the WAN.\n6\n  The equipment, software, services, and products used in storing, processing, transmitting, and\ndisplaying information.\n\n\n                                                                                              6\n\x0cCOBIT 4.0, section AI1.1, \xe2\x80\x9cDefinition and Maintenance of Business Functional and\nTechnical Requirements,\xe2\x80\x9d calls for identifying, prioritizing, specifying and agreeing on\nbusiness functional and technical requirements covering the full scope of all initiatives\nrequired to achieve the expected outcomes of the information technology-enabled\ninvestment program, and to define the criteria for acceptance of the requirements.\nRequirements should take into account, among other things, performance.\n\nFurther, COBIT 4.0, section AI2.5, \xe2\x80\x9cConfiguration and Implementation of Acquired\nApplication Software,\xe2\x80\x9d states that issues to consider when implementing a system\ninclude (among other things) the organization\xe2\x80\x99s information architecture, existing\napplications, interoperability with existing application and database systems, and system\nperformance efficiency.\n\nFinally, COBIT 4.0, section AI2.7, \xe2\x80\x9cDevelopment of Application Software,\xe2\x80\x9d provides\nguidance on software development (or, in this case, acquisition of a commercial off-the-\nshelf product). That section puts an emphasis on ensuring that automated functionality\nis developed in accordance with design specifications, development and documentation\nstandards and quality requirements. The guidance calls for approval and sign-off on\neach key stage of the application software development process following successful\ncompletion of functionality, performance and quality reviews. Issues to be considered\ninclude approval that design specifications meet business, functional and technical\nrequirements.\n\nHowever, USAID did not evaluate the software against performance requirements.\nSpecifically:\n\n\xe2\x80\xa2      USAID did not evaluate the software against performance requirements during\n       the selection process. Instead, after selection, USAID only measured the\n       network performance at USAID/Washington and selected Missions to gauge\n       performance in anticipation of enhancements to the existing infrastructure after\n       the establishment of acceptable performance standards for GLAS.\n\n\xe2\x80\xa2      System performance testing\xe2\x80\x94which should have been performed before the\n       system was deployed\xe2\x80\x94was not performed prior to deploying the system.\n\nThis problem occurred because the Agency did not define acceptable performance\nstandards for GLAS. The Test Summary Report revealed that specifications were still to\nbe defined or determined, based on user needs/expectations and Agency requirements\nin performance areas. For example, according to the Report, the system shall:\n\n\xe2\x80\xa2       Perform user requested transactions (server-in to server-out, measured at the\n        server) within the performance targets to be specified (emphasis added).\n\n\xe2\x80\xa2       Generate reports (measured at the reporting server) within the performance\n        targets to be specified (emphasis added).\n\n\n\n\n                                                                                       7\n\x0c\xe2\x80\xa2         Respond to user requested transactions (user-request to system-response,\n          measured at the client) within the performance targets calculated by multiplying\n          the server class target by the additional latency factors to be specified\n          (emphasis added).\n\n\xe2\x80\xa2         Perform transactions with other systems within the performance targets to be\n          specified (emphasis added).\n\nInstead of setting performance standards, the Agency has relied on contingency plans to\nmeet performance requirements. As such, any necessary improvements in the\napplication performance are expected to be addressed through tuning, compression or\ncaching capabilities.\n\nWithout timely development, consideration, and testing of performance requirements,\nUSAID runs the risk of not meeting performance needs of the end users.\n\n      Recommendation No. 2: We recommend that, prior to full deployment, the\n      Global Acquisition System Team, in collaboration with the Office of the Chief\n      Information Officer, develop realistic, objective performance requirements and\n      complete tests of the Global Acquisition System against those requirements, to\n      include taking appropriate corrective actions.\n\nGLAS Software Did Not Provide Functionality\nfor Incrementally-Funded Contracts\nIn Accordance With USAID\xe2\x80\x99s Business Processes\n\n\n    Summary: COBIT 4.0, section AI2.7 provides guidance on software development\n    and puts emphasis on ensuring that automated functionality is developed in\n    accordance with design specifications. However, GLAS does not provide for\n    functionality to record incrementally-funded contracts in accordance with USAID\xe2\x80\x99s\n    business processes. This problem occurred because, although the vendor was\n    aware of the need for incremental funding, the vendor did not have a detailed\n    understanding of USAID\xe2\x80\x99s business processes until they started actually working with\n    USAID. As a result, this significant functionality requirement of the Agency was met\n    through an inefficient workaround\xe2\x80\x94which was cumbersome for awards with multiple\n    line items.\n\n\nThe Clinger-Cohen Act of 1996, Title LI \xe2\x80\x93 Responsibility for Acquisitions of Information\nTechnology, Subtitle C \xe2\x80\x93 Executive Agencies, Sec. 5123 \xe2\x80\x93 Performance and Results-\nBased Management, Item 5, states that the head of the executive agency shall:\n\n         \xe2\x80\xa6analyze the missions of the executive agency and, based on the\n         analysis, revise the executive agency\xe2\x80\x99s mission-related processes and\n         administrative processes as appropriate before making significant\n         investments in information technology that is to be used in support of the\n         performance of those missions.\n\n\n\n\n                                                                                           8\n\x0cCOBIT 4.0, section AI2.7, \xe2\x80\x9cDevelopment of Application Software,\xe2\x80\x9d provides guidance on\nsoftware development (or, in this case, acquisition of a commercial off-the-shelf product).\nThat section puts an emphasis on ensuring that automated functionality is developed in\naccordance with design specifications, development and documentation standards and\nquality requirements. The guidance calls for approval and sign-off on each key stage of\nthe application software development process following successful completion of\nfunctionality, performance and quality reviews. Issues to be considered include approval\nthat design specifications meet business, functional and technical requirements.\n\nThe COTS application acquired for GLAS is ideal for fixed-price contracts where the\ncommitment equals the total estimated cost as well as the obligated amount. For a\nfixed-price contract, the line-item amount is automatically calculated. However, USAID\ntypically uses cost-type awards, whereby incremental-funding is commonly used.\nHowever, GLAS does not provide for this functionality in accordance with USAID\xe2\x80\x99s\nbusiness processes.\n\nThis problem occurred because, although the vendor was aware of USAID\xe2\x80\x99s need for\nincremental funding, the vendor did not have a detailed understanding of USAID\xe2\x80\x99s\nbusiness processes until they started actually working with USAID. According to Agency\nofficials, the application was designed to meet the needs of the majority of Federal\nagencies\xe2\x80\x99 business processes, but it did not completely meet the needs of USAID\xe2\x80\x99s\nprocesses.\n\nAs a result, USAID established a workaround requiring the user to manually adjust each\nline item to establish the total estimated cost. The workaround was cumbersome and\nmay be complicated for awards with multiple line items. As such, this deficiency will\nhave to be resolved because it is not an efficient solution in the long term.\n\nAccording to USAID officials, to address this issue, users were being provided significant\ntraining to work with the new process as designed in the software. In the meantime, the\nGLAS team has begun to consider other ways to bridge the gap between the software\nand USAID\xe2\x80\x99s business process for incremental funding. Nonetheless, we are making\nthe following recommendation.\n\n   Recommendation No. 3: We recommend that the Global Acquisition System\n   Team perform an analysis to identify and select the best method to resolve the\n   inefficiencies with incremental funding functionality to meet USAID\xe2\x80\x99s acquisitions\n   needs.\n\nData Migration Not Adequately Planned\n\nSummary: USAID did not adequately plan for its data migration for USAID/Washington\npilots and overseas mission pilots, as required. These problems occurred because the\nTeam did not develop detailed data migration plans for either Washington or overseas\nmissions. If data are not effectively migrated to GLAS from the legacy system, the\nGLAS project may not be successful, as users will not be able to perform their work.\n\nNational Institute of Standards and Technology Special Publication 800-64 Rev.1,\nparagraph 2.3.5, \xe2\x80\x9cDisposition,\xe2\x80\x9d discusses what activities should occur during the final\n\n\n\n                                                                                         9\n\x0cphase in the Software Development Life Cycle. According to that section, particular\nemphasis is to be given to proper preservation of the data processed by the system, so\nthat the data is effectively migrated to another system or archived in accordance with\napplicable records management regulations and policies for potential future access.\n\nHowever, as shown below, improvements were needed in data migration planning:\n\n\xe2\x80\xa2      The GLAS Team planned to migrate data to GLAS from the legacy system that\n       originally processed USAID/Washington pilot offices\xe2\x80\x99 transactions in one\n       operation. As such, in December 2006, 227 award files successfully migrated,\n       with 15 that did not migrate due to file recognition problems. Subsequently, the\n       GLAS Team realized that they did not completely and accurately map data\n       elements and locations within the legacy system to permit all intended data to\n       migrate into the appropriate fields within GLAS. Therefore, material segments of\n       the population of awards were inadvertently omitted. As such, a second\n       migration was necessary, in which an additional 224 award files\xe2\x80\x94almost 50\n       percent of the original intended awards\xe2\x80\x94migrated, with two award files not\n       migrating.\n\n\xe2\x80\xa2      The pilot data migration for overseas missions was planned for February and\n       March 2007, but was since rescheduled for June and July 2007. This\n       postponement by four months was to allow for further functional development of\n       the GLAS project prior to the mission migration. Further, after the GLAS team\n       re-examined its operations, they realized that Indefinite Quantity Contracts\n       (IQCs) were needed by the overseas pilot locations. Therefore, they accelerated\n       the migration of IQCs from December 2007 (which coincided with the original\n       project completion date) to May 2007.\n\nThese problems occurred because, although the GLAS Team developed a Data\nMigration Strategy, the Team did not develop detailed data migration plans for either\nWashington or overseas missions, to include defining the data structure for the fields of\ninformation to be entered into GLAS. This is particularly critical for USAID\xe2\x80\x99s overseas\nmissions because no uniform electronic record of acquisition data exists. Therefore,\neach mission will manually enter data into spreadsheets sent to them by the GLAS\nproject team. As such, detailed instructions on data to be entered into each field would\nhelp ensure that data entered is consistent worldwide.\n\nFurther, according to the GLAS Team, the original project schedule did not allow them\ntime to adequately review the data to be migrated and run test scripts to search for\nerrors in their data migration process. In addition, according to the Lessons Learned\nReport 7 , for future GLAS deployments a strategy needs to be identified to ensure all\nrecords will be migrated as planned.\n\nIf data are not effectively migrated to GLAS from the legacy system, the GLAS project\nmay not be successful, as users will not be able to perform their work. More detailed\nplanning could alleviate this. Although USAID has taken actions to correct the\nWashington data migration problems (as discussed above), we are making the following\nrecommendation to assist with the mission migration.\n\n7\n  This report identified those activities that team members believed went well during pilot\nimplementation as well as those areas where improvements could be made in future rollouts.\n\n\n                                                                                        10\n\x0c      Recommendation No. 4:      We recommend that, prior to the mission migration,\n      the Global Acquisition System Team develop and implement comprehensive\n      mission data migration plans that include defining data structure in fields to be\n      migrated and conducting test runs .\n\nData in Tracking System Not Linked to\nTest Results or Change Requests\n\n\n    Summary: The data in USAID\xe2\x80\x99s system used to track test problem reports could not\n    be referenced to tests results requiring follow-up or approved change requests to be\n    implemented, as required. This deficiency occurred because the system, known as\n    JIRA 8 , was not adequately designed as a tracking tool. As such, it created the\n    possibility that test problems may not be resolved in a timely fashion, and that change\n    implementation may not be easily verified to the specifics of the approved change\n    requests.\n\n\nCOBIT 4.0, section AI6, \xe2\x80\x9cManage Changes,\xe2\x80\x9d calls for a change management process\nthat is well developed and consistently followed for all changes. All changes are subject\nto thorough planning and impact assessment to minimize the likelihood of post-\nproduction problems.\n\nAccording to the Comprehensive Test Plan, all problems discovered during each test\nphase will be recorded and tracked by creating failed test reports via an electronic\ndatabase. The test problem reports will be re-tested by repeating the test procedures\nthat caused the original failure. Depending on the problem, it may be necessary to\nexecute additional test procedures to ensure that the problem has been resolved. The\nseverity of the problem will determine whether or not the fix and the release will pass\ntesting.\n\nAs problems were encountered, the GLAS testers and implementers entered test\nproblem reports into USAID\xe2\x80\x99s JIRA application. However, the data in JIRA were not\nindexed to (i.e., did not have a common reference number with) test results requiring\nfollow-up, or to approved change requests to be implemented.\n\nThis deficiency occurred because JIRA was not adequately designed as a tracking tool.\nAs such, it created the possibility that test problems may not be resolved in a timely\nfashion, and that change implementation may not be easily verified to the specifics of the\napproved change request. Further, test problem reports could not be traced to their\norigins.\n\nThe GLAS Team acknowledged this weakness and indicated that they would make\nchanges to provide greater traceability in JIRA. Nonetheless, to ensure that this\nredesign is followed through, we are making the following recommendation.\n\n\n\n\n8\n    JIRA is a bug tracking, issue tracking, and project management application.\n\n\n                                                                                          11\n\x0c    Recommendation No. 5: We recommend that the Global Acquisition System\n    Team carry through its redesign of the tracking system to include greater\n    traceability between JIRA and the sources of the test problems reported.\n\n\nThe GLAS Team Could Not Assure That\nMost Nonfunctional Tests Were Performed\n\nSummary: The GLAS team could not provide evidence that nonfunctional requirements\n(other than system performance) were tested, as required by the Comprehensive Test\nPlan for GLAS. Moreover, it was not clear that the validation method described in the\nTest Summary Report was actually applied. The primary cause of these testing\ndeficiencies was the rush to meet the deadline for the pilot deployment. Without\nevidence that nonfunctional requirements were tested\xe2\x80\x94using the proper validation\nmethodology\xe2\x80\x94and that the test results were as desired for the nonfunctional\nrequirements, GLAS may not meet USAID\xe2\x80\x99s nonfunctional requirements.\n\nAccording to the GLAS Comprehensive Test Plan, all test verification points will be\nsupported by screen prints captured during test execution. In addition, the methodology\nof validation (that is analysis, demonstration, inspection or testing) depended on the\nitem, procedure, or operation being tested.\n\nHowever, the GLAS team could not provide evidence that nonfunctional requirements\n(other than system performance), such as log-in password, print commands, failure of\nimproper operation execution, were tested, as required by the Comprehensive Test Plan\nfor GLAS. Moreover, in discussing validation with the contractor responsible for testing\nthe nonfunctional requirements, it was not clear that the validation method described in\nthe Test Summary Report was actually applied to the item, procedure, or operation\nbeing tested. For example, in the operation:\n\n\xe2\x80\xa2      \xe2\x80\x9cThe system shall require a log-in password that does not begin or end with a\n       number,\xe2\x80\x9d the tester thought the system had passed when the report stated that it\n       failed.\n\n\xe2\x80\xa2      \xe2\x80\x9cThe system shall provide function-specific on-line help text for each screen,\xe2\x80\x9d the\n       tester thought that the validation methodology should have been by Inspection,\n       rather than by Testing as listed in the report because these documents were\n       physical manuals rather than on-line help menus. Thus, in this case, the result\n       listed as \xe2\x80\x9cpassed\xe2\x80\x9d should have been \xe2\x80\x9cfailed.\xe2\x80\x9d\n\n\xe2\x80\xa2      \xe2\x80\x9cThe system shall mark or identify all Sensitive But Unclassified (SBU) data that\n       is displayed,\xe2\x80\x9d the tester said no SBU document was processed in the test\xe2\x80\x94yet\n       the test result said \xe2\x80\x9cpassed.\xe2\x80\x9d\n\nThe primary cause of these testing deficiencies was the rush to meet the\nDecember 2006 deadline for the pilot deployment. According to the GLAS team,\ntypically, non-functional requirements are verified by inspection or observation, as was\ndone with GLAS.        In the Lessons Learned Report, however, the GLAS team\n\n\n\n\n                                                                                       12\n\x0cacknowledged that several issues were uncovered after the system went live that should\nhave been identified in system testing. As such, the GLAS team decided to allow more\ntime for system testing.\n\nNonetheless, in the absence of written documentation, including screen prints when\napplicable, of when and under what circumstances the validation procedures were done,\nUSAID could not be assured that the nonfunctional requirements were ever tested.\nMoreover, without evidence that nonfunctional requirements were tested using the\nproper validation methodology, GLAS may not meet USAID\xe2\x80\x99s nonfunctional\nrequirements. Therefore, we are making the following recommendation.\n\n   Recommendation No. 6: We recommend that the Global Acquisition System\n   Team require the Contractor to provide all documentation described in the\n   Comprehensive Test Plan as support for the validation performed on\n   nonfunctional requirements.\n\n\n\n\n                                                                                   13\n\x0cEVALUATION OF\nMANAGEMENT COMMENTS\nIn response to our draft report, USAID agreed with the audit findings and described\nplanned actions to address the recommendations. Additionally, they stated that many of\nthe concerns cited in the report were also identified during a recent Independent\nVerification and Validation, and mitigation activities had been initiated. The Agency\xe2\x80\x99s\ncomments are included in their entirety, without attachments, in Appendix II.\n\nRegarding Recommendation Nos. 1, 2, 3, 5, and 6, the Agency outlined its plans to\naddress the audit recommendations and provided target dates for when final action\nwould be completed. Based on the Agency\'s comments and the establishment of target\ndates, management decisions have been reached for each of these recommendations.\n\nIn regard to Recommendation No. 4, the Agency stated that the GLAS Team had refined\nthe data migration plan to include defining data structure in fields to be migrated and\nscheduling dry runs, and had put this new plan into effect for pilot mission programs in\nJune 2007. Based on the Agency\'s comments and our review of the supporting\ndocumentation, final action has been taken for Recommendation No. 4.\n\nFinally, note that, in our final report, we modified the language in two of our\nrecommendations from the language used in the draft report sent to management, as\nfollows:\n\n\xe2\x80\xa2      For Recommendation No. 1, we broke the recommendation into two parts:\n       (a) formally evaluate its technical infrastructure with respect to the system\n       implementation, determining impact on existing platforms and applications, and\n       (b) based on that evaluation, implement corrective actions to ensure that\n       interoperability of platforms and applications will be optimized.\n\n\xe2\x80\xa2      For Recommendation No. 4, we replaced "scheduling dry runs" with "conducting\n       test runs," to encourage doing more than just preparing a schedule and to use\n       more common terminology.\n\nHowever, the modified language will not impact the management decisions on these\nrecommendations.\n\nIn their comments, USAID management disagreed with the statement that a reactionary\napproach was taken to plan the infrastructure needs for GLAS, stating that their\napproach was consistent with best practices. However, as stated in the report,\naccording to the GLAS Team, corrective actions would be taken as problems arose.\nUSAID, nevertheless, agreed to conduct a system impact analysis on the technical\ninfrastructure and other USAID applications. Therefore, no changes were made in the\nreport to address this comment.\n\n\n\n\n                                                                                     14\n\x0c                                                                             APPENDIX I\n\n\n\nSCOPE AND METHODOLOGY\nScope\nThe Office of Inspector General, Information Technology and Special Audits Division,\nperformed this audit in accordance with generally accepted government auditing\nstandards. The purpose of the audit was to determine whether USAID followed key best\npractices for the following key activities before deploying its Global Acquisition System:\n\n\xe2\x80\xa2      Preparing functional and technical requirements.\n\n\xe2\x80\xa2      Designing system interfaces.\n\n\xe2\x80\xa2      Managing project risk management\n\n\xe2\x80\xa2      Testing.\n\n\xe2\x80\xa2      Migrating data.\n\nAudit fieldwork was conducted at USAID headquarters in Washington, D.C., from\nNovember 28, 2006, through February 20, 2007.\n\nMethodology\nTo answer the audit objective, we obtained and reviewed GLAS documentation and\nconducted interviews with the GLAS project team. Specifically, using the IT Governance\nInstitute\xc2\xae\xe2\x80\x99s COBIT 4.0 as a guide, we (among other things):\n\n\xe2\x80\xa2      Reviewed a judgmental sample of requirements, plans for the technical\n       infrastructure, and the system configuration management process. We did not\n       evaluate the process in developing the requirements or assess the accuracy or\n       completeness of the requirements themselves.\n\n\xe2\x80\xa2      Determined whether interface specifications/standards were defined,\n       incorporated, and tested. However, we only reviewed interfaces which USAID\n       management had officially approved at the start of this audit.\n\n\xe2\x80\xa2      Assessed the risk management and contingency plans for high and medium\n       risks. We did not review the risk identification process for GLAS.\n\n\xe2\x80\xa2      Reviewed the overall test plan and resultant systems test, user acceptance test,\n       and performance test reports.\n\n\xe2\x80\xa2      Assessed the comprehensiveness of the data migration strategy, including data\n       preparation, testing, data migration, data clean-up and back-out plan.\n\nFinally, we followed up on recommendations from prior audits, as related to our audit\nobjective. We did not set a materiality threshold for this audit.\n\n\n                                                                                       15\n\x0c                                                                                   APPENDIX II\n\n\n\nMANAGEMENT COMMENTS\n\n\n                                                                                    June 29, 2007\n\n\nMEMORANDUM\n\nTO:             IG/A/ITSA, Melinda G. Dempsey\n\nFROM: M/CIO (Acting), Philip M. Heneghan\n            M/OAA, Michael F. Walsh\n\nSUBJECT:        Management Response to Office of Inspector General\xe2\x80\x99s Report: Audit of\n                USAID\xe2\x80\x99S Pre-deployment Activities for its Global Acquisition System (Draft\n                Report No. A-000-07-00X-P, March 30, 2007)\n\n    Thank you for the opportunity to respond to the subject draft audit report. We appreciate your\nreview and have provided a response that includes management decisions and comments.\n\n   Many of the concerns cited in the report were also identified during a recent Independent\nVerification and Validation (IV&V), and mitigation activities have been initiated.\n\n    Additionally, as a general caveat to the management comments listed in this response, it is\nimportant to note that mitigation activities and timelines are based on the assumption that\nrequested funding will gain timely approval.           The timeline for incorporation of the\nrecommendations set forth in this report is also based upon the assumption that requested funding\nis approved. Therefore, process improvement activities necessary to adhere to these\nrecommendations will be supported to the extent that funding and resources are available.\n\n   The following are management decisions regarding the proposed audit recommendations:\n\nRecommendation No. 1:\n\n\n\n\n                                                                                               16\n\x0cWe recommend that, prior to full deployment, the Global Acquisition System Team, in\ncollaboration with the Office of the Chief Information Officer, formally evaluate its technical\ninfrastructure with respect to the system implementation, determining impact on existing\nplatforms and applications. In addition, based on that evaluation, implement corrective actions to\nensure that interoperability of platforms and applications will be optimized.\n\nManagement Decision:\n\nThe Global Acquisition System (GLAS) Team and the Office of the Chief Information Officer\nwill conduct a system impact analysis on the technical infrastructure and other USAID\napplications. Based on the results of the impact analysis, the GLAS implementation plan will be\nadjusted by October 2008.\n\nRecommendation No. 2:\n\nWe recommend that, prior to full deployment, the Global Acquisition System team, in\ncollaboration with the Office of the Chief Information Officer, develop realistic, objective\nperformance requirements and complete tests of the Global Acquisition System against those\nrequirements, to include taking appropriate corrective actions.\n\nManagement Decision:\n\nThe Global Acquisition System (GLAS) Team and the Office of the Chief Information Officer\nwill develop performance requirements by April 2008. Performance testing and monitoring began\nduring the pilot mission programs in June 2007 and resulted in no issues. Based on the test\nresults at the various mission organizations, corrective action will be taken concurrent with\nworld-wide deployment.\n\nRecommendation No. 3:\n\nWe recommend that the Global Acquisition System Team perform an analysis to identify and\nselect the best method to resolve the deficiencies with incremental funding functionality to meet\nUSAID\xe2\x80\x99s acquisitions needs.\n\nManagement Decision:\n\nThe Global Acquisition System (GLAS) Team will assess the best methods to resolve the\ndeficiencies with the incremental funding functionality in PRISM to meet USAID\xe2\x80\x99s acquisitions\nneeds. A solution will be delivered by the software vendor via GLAS release 2.0 by January\n2008.\n\nRecommendation No. 4:\n\nWe recommend that, prior to the mission migration, the Global Acquisition System Team\ndevelop and implement comprehensive mission data migration plans that include defining data\nstructure in fields to be migrated and scheduling dry runs.\n\n\n\n\n                                                                                               17\n\x0cManagement Decision:\n\nThe Global Acquisition System (GLAS) Team has refined the data migration plan to include\ndefining data structure in fields to be migrated and scheduling dry runs. This new plan was put\ninto effect for pilot mission programs in June 2007. We recommend that this recommendation be\nclosed upon final report issuance.\n\nRecommendation No. 5:\n\nWe recommend that the Global Acquisition System Team carry through its redesign of the\ntracking system to include greater traceability between JIRA and the sources of the test problems\nreported.\n\nManagement Decision:\n\nThe Global Acquisition System (GLAS) Team will redesign the tracking system for release 2.0 to\ninclude traceability between JIRA and the sources of reported test problems by January 2008.\n\nRecommendation No. 6:\n\nWe recommend that the Global Acquisition System Team require the Contractor to provide all\ndocumentation described in the Comprehensive Test Plan as support for the validation performed\non nonfunctional requirements.\n\nManagement Decision:\n\nThe Global Acquisition System (GLAS) Team will require the Contractor to provide all\ndocumentation described in the Comprehensive Test Plan as support for the validation performed\non nonfunctional requirements by January 2008.\n\n\nAdditional Comments on Report\n        The following comments are being provided for your consideration in an effort to\nstrengthen your report.\n\nWe disagree with the observation that the GLAS team took a reactionary approach for the\nplanning of the infrastructure needs for GLAS. Consistent with best practices guidance from the\nSoftware Engineering Institute on COTS-Based Systems (CMU/SEI-2000-TR-010, An Activity\nFramework for COTS-Based Systems), the alignment of the system architecture with the known\ntelecommunications infrastructure constraints has been validated iteratively. Prior to selection of\nthe PRISM product in support of GLAS, baseline tests were conducted to determine whether the\napplication was capable of meeting performance requirements for the program. Additional\nperformance tests were conducted during the development cycle and prior to the LAC pilot \xe2\x80\x9cgo\nlive\xe2\x80\x9d decision. For each iteration, the application has been more mature in its configuration and\nthe performance tests have been used to validate alignment of the system architecture with the\nAgency\xe2\x80\x99s telecommunications infrastructure constraints. It is our intention to continue to monitor\nand evaluate the existing system, network, and infrastructure on a regular basis and develop\noptimization plans as needed to ensure system interoperability.\n\n\n                                                                                                18\n\x0cU.S. Agency for International Development\n        Office of Inspector General\n        1300 Pennsylvania Ave, NW\n          Washington, DC 20523\n            Tel: (202) 712-1150\n            Fax: (202) 216-3047\n            www.usaid.gov/oig\n\x0c'